Loading...

XML

Word

Printable

JSON

Type: Bug
Resolution: Fixed
Priority: Major - P3
Fix Version/s: 4.2.3, 4.0.18, 3.6 Required
Affects Version/s: None
Component/s: None
Labels:
None

Backwards Compatibility:
Fully Compatible
Operating System:
ALL
Backport Requested:

v4.2, v4.0, v3.6
Sprint:
Security 2019-12-30
Case:
Confidence Status:
None
Work Order:
3
CAR Domain/s:
None

Aha! Reference:
None
Tracking Level:
None
Risk Status:
None
Exec Notes:
None
Goal Name(s):
None
Goal Link:
None

The Windows Kerberos client calls AcquireCredentialsHandle with a populated SEC_WINNT_AUTH_IDENTITY even when the user provides no password. In some customer setups, AcquireCredentialsHandle returns SEC_E_NO_CREDENTIALS as a result because the mongo client is asking for Windows to return something other then the default credentials.

While I cannot repro this issue locally, we have confirmed with the customers that if AcquireCredentialsHandle is called without SEC_WINNT_AUTH_IDENTITY, then clients can successfully connect. Both a patched shell and the node.js driver can successfully connect in these cases.

The fix is to not pass SEC_WINNT_AUTH_IDENTITY to AcquireCredentialsHandle unless the user specifies a password.

is related to

DRIVERS-2180 Kerberos on Windows should not pass username to SSPI when password is not set

Implementing

Assignee:: Mark Benvenuto
Reporter:: Mark Benvenuto
Participants:: Githook User, Mark Benvenuto
Votes:: 0 Vote for this issue
Watchers:: 4 Start watching this issue

Created:: Dec 10 2019 10:53:51 PM UTC
Updated:: Oct 29 2023 10:14:14 PM UTC
Resolved:: Dec 12 2019 06:27:38 PM UTC

Details

Description

Attachments

Issue Links

Activity

People

Dates